Google Stored Unhashed G Suite Passwords for YearsPasswords Remained Encrypted for Enterprise Users
Google is notifying G Suite enterprise users and administrators this week that the company had inadvertently stored passwords in an unhashed, but still encrypted, state for several years because of a flaw in the platform's administration console.
Although a subset of G Suite passwords were stored in the unhashed mode for nearly 14 years, Google does not believe that any user data was stolen during this time. The company plans to monitor security audits over the next several months to ensure that no data was compromised, according to the blog post published Tuesday.
Google did not specify how many user accounts and passwords were affected.
Google is in the process of contacting G Suite administrators to reset affected accounts and passwords, according to the blog post. This version of the platform includes enterprise-grade version of the company's productivity tools, including Gmail, Google Docs and Google Drive.
The consumer version of Gmail was not affected, Google notes.
Although the flaw in the G Suite administration console dates to 2005, Google engineers only noticed the issue during maintenance checks earlier this year, Suzanne Frey, vice president for engineering and cloud trust at Google, writes in the blog post.
When Google was building out the functionality of its enterprise-grade G Suite platform in 2005, engineers gave administrators a tool to set and recover passwords, which allowed them to upload or manually set user passwords for users.
This tool, however, also stored passwords in an unhashed state, according to Google.
Normally, a user's password would be processed through the company's cryptography algorithm to scramble it before saving it to a disk and encrypting it. Typically, a common password is supposed to be stored as a random set of numbers and letters such as "72i32hedgqw23328." In these cases, however, this hashing system did not work properly.
"We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password," Frey writes. "This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords."
As Google investigated the hashing issue in the admin console, engineers also found that other passwords belonging to newer G Suite customer sign-ups were also being stored without proper hashing. In this case, the passwords were only stored for 14 days since the accounts were new, and now the company has fixed this flaw as well.
"This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords," Frey writes. "We will continue with our security audits to ensure this is an isolated incident."
In the past several years, Google has been proactive in ensuring user data is encrypted. In this case, however, the threat could come from employees who could have accessed the passwords in their unhashed state, says Richard Gold, head of security engineering at Digital Shadows, a London-based security firm.
"It is likely that any threat to its customers would come from its own employees," Gold tells Information Security Media Group. "That said, we deem the impact to potentially be low, and as yet, we have not identified any potential activity from the criminal forums and marketplaces which we monitor."
Security Issues in Plain Sight
Google is not the only tech giant to have trouble properly storing passwords.
Earlier this year, Facebook disclosed that an internal security problem meant that 200 to 600 million user passwords were stored in plaintext, some of which dated to 2012. As with this week's G Suite news, it appears only that internal Facebook employees could access that data, according to numerous reports (see: Report: Facebook Stored Millions of Passwords in Plaintext).
Later, Facebook acknowledged that a similar problem affected Instagram users as well. These issues are part of a series of problems that the social media giant has faced when it comes to storing and protecting user data (see: Facebook Password, Email Contact Mishandling Worsens).
The flaw within G Suite, however, is the second big security issue Google has faced within the past two weeks. Earlier this month, the company announced it would replace its Titan security keys after discovering a vulnerability in the device's Bluetooth pairing process, according to ZDNet.
These types of errors are making it too easy for cybercriminals to exploit, says Joseph Carson, chief security scientist at Thycotic, a Washington-based security firm.
"This simply makes it too easy for cybercriminals in a world when we must make it more difficult. Passwords are meant to be a secret," Carson tells ISMG. "This poor practice by Google means that G Suite user passwords are not a secret, thus extremely reducing the security to being easily abused by both external criminals or malicious insiders within Google itself."